TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Insufficient Attention Has Been Given to
Ensure States Protect Taxpayer Information

August 31, 2007

Reference Number: 2007-20-134

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION

August 31, 2007

MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM:       Michael R. Phillips
            Deputy Inspector General for Audit

SUBJECT:    Final Audit Report – Insufficient Attention Has Been Given to Ensure States Protect Taxpayer Information (Audit # 200720025)

This report presents the results of our followup review to determine whether Federal tax information provided to third parties (in this case, State agencies) is protected from unauthorized access, use, and disclosure. We evaluated the effectiveness of the Internal Revenue Service's (IRS) actions to correct computer security weaknesses at State agencies that we had reported in September 2005.¹ This audit is part of the statutory audit coverage under our Information Systems Programs unit and is included in the Treasury Inspector General for Tax Administration's Fiscal Year 2007 Annual Audit Plan.

Impact on the Taxpayer

The IRS provides taxpayers' personal and financial data to agencies in all 50 States to assist them in carrying out their own tax administration responsibilities. The IRS Safeguard Review program is responsible for ensuring the States provide adequate security over that information to prevent unauthorized disclosures that could be used for identity theft and other fraudulent activities. Without an effective Safeguard Review program, the IRS has little assurance that the information provided to the States is adequately protected and that funds are prudently spent on contractor support.

¹ Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected (Reference Number 2005-20-184, dated September 2005).

Synopsis

As a result of our 2005 review of the Safeguard Review program, the IRS agreed to:

    • Revise guidance to States found in Tax Information Security Guidelines for Federal, State and Local Agencies and Entities (Publication 1075) for conducting their security self-assessments to incorporate the recommended security controls described in the National Institute of Standards and Technology (NIST)² guidance required for all Federal Government agencies.
    • Assign more staffing to the Mission Assurance and Security Services organization's Safeguard Review program to provide adequate oversight to the States.
    • Improve the scope of IRS Safeguard Reviews by incorporating appropriate NIST guidance into the computer security Safeguard Review process.
    • Use Plans of Action and Milestones to better monitor recommended corrective actions for weaknesses identified.

Since our 2005 review, the IRS has revised guidance to the States to incorporate the recommended security controls described by the NIST. We anticipate the guidance will assist the State agencies in performing more complete security assessments of their computer systems. To improve the Safeguard Reviews, the IRS awarded a 5-year contract to Booz Allen Hamilton to supplement the Safeguards Review staff in conducting more reviews. However, the other corrective actions to our prior report have not yet been taken or have not been effective in improving the scope of the Safeguard Reviews and in monitoring corrective actions. Also, the IRS is not timely reporting the results of its Safeguard Reviews to the States. We attribute these weaknesses to the lack of management oversight.

During the course of our review, we became very concerned at the lack of management attention being directed to the Safeguard Review program. As a result, we expanded our review to assess the administration of the contract with Booz Allen Hamilton. Controls over the contract were insufficient to ensure the Federal Government receives the services for which it contracted, on time, and in accordance with specifications. Additional oversight for the contract is needed so the IRS can ensure it is prudently spending the $1.4 million designated annually for the Safeguard Review program. Due to the poor contract oversight provided by the IRS, we requested additional documentation from the contractor. We will report our assessment of the contractor documentation in a future Office of Audit document.

² The NIST is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

In July 2007, the IRS Mission Assurance and Security Services organization was realigned and the responsibilities for the Safeguard Review program were transferred to the Small Business/Self-Employed Division. While the Small Business/Self-Employed Division has taken the responsibility of responding to the recommendations in this report, we are issuing the report to the Chief, Mission Assurance and Security Services, at his request.

Recommendations

We recommended the Chief, Mission Assurance and Security Services, provide management oversight for the Safeguard Review program sufficient to ensure that test plans used during Safeguard Reviews are revised and consistent with IRS guidance, the corrective action to our prior report is reopened to ensure the development and implementation of a Plan of Action and Milestones process, Safeguard Review results are provided timely to the States, task orders³ clearly define deliverables for the contractor, and contractor billings are monitored to ensure funds are prudently spent.

Response

IRS management agreed with all of our recommendations. The Director, Communications, Liaison and Disclosure, Small Business/Self-Employed Division, will initiate additional changes to the recently revised Publication 1075 to incorporate guidance for executing test plans used in Safeguard Reviews. The corrective action corresponding to the followup and monitoring of corrective actions will be reopened, and a Plan of Action and Milestones process will be developed. Also, Safeguard Review results will be provided to the States within 30 calendar days of the review, but not later than 45 calendar days after the closing conference, in accordance with IRS procedures. A monthly monitoring plan will be developed to track reports and ensure followup actions have been taken on a timely basis.

The Small Business/Self-Employed Division has assigned a task representative to work with the Contracting Officer's Technical Representative and manage all aspects of contract support. The task representative will oversee the contractors' work and perform monthly contract reviews to ensure the accuracy of the invoices and that work authorized is completed in accordance with the work requests. Work requests will be signed by the task representative, the Contracting Officer's Technical Representative, and the contractor manager prior to starting work and upon completion of the task. In addition, a project manager has been added to the Safeguards Review staff to provide guidance, oversight, and monitoring of the program contract. Management's complete response to the draft report is included as Appendix IV.

³ A task order is an order for services placed against an established contract.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.


Table of Contents

Background ........................................................................ Page 1

Results of Review ................................................................. Page 3
    Actions Have Been Taken to Improve the Scope of State Safeguard Activity Reports ..... Page 3
    Adequate Actions Have Not Been Taken to Improve Internal Revenue Service Safeguard Reviews ..... Page 3
        Recommendation 1: ......................................................... Page 5
        Recommendations 2 and 3: .................................................. Page 6
    The Office of Privacy and Information Protection Is Not Adequately Monitoring Contracting Actions ..... Page 6
        Recommendation 4: ......................................................... Page 7
        Recommendation 5: ......................................................... Page 8

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ....................... Page 9
    Appendix II – Major Contributors to This Report ............................... Page 11
    Appendix III – Report Distribution List ....................................... Page 12
    Appendix IV – Management's Response to the Draft Report ....................... Page 13


Abbreviations

IRS     Internal Revenue Service
NIST    National Institute of Standards and Technology


Background

Internal Revenue Code Section 6103 authorizes the Internal Revenue Service (IRS) to disclose Federal tax information to various State and Federal Government agencies. In 2005, the IRS provided taxpayer information to all 50 States, whose tax agencies can use the information to identify nonfilers of State tax returns, determine discrepancies in the reporting of income, locate delinquent taxpayers, and determine whether IRS adjustments have State tax consequences.

As a condition for receiving Federal tax information, State tax agencies must have physical and computer system safeguards designed to prevent unauthorized access to and use of this information. Before a State tax agency receives Federal tax information, it must submit a Safeguard Procedures Report to the IRS for approval. The Safeguard Procedures Report describes how the State will protect and safeguard the tax information. In addition, States are required to annually file Safeguard Activity Reports to describe any changes to their safeguard procedures, advise the IRS of future actions that will affect safeguard procedures, and certify they are protecting the data.

The Safeguard Review program within the Office of Privacy and Information Protection in the Mission Assurance and Security Services organization should ensure State agencies receiving Federal tax information maintain adequate safeguards to protect the data. It is responsible for conducting Safeguard Reviews of each State agency receiving Federal tax information at least once every 3 years. The Safeguard Reviews should evaluate the State agencies' compliance with security procedures to ensure the information is adequately protected.

In 2003, we reported¹ that Federal tax information was at risk while in the possession of State tax agencies. In 2005, we followed up² on the 2003 report and determined these problems persisted. We also noted that State agencies' Safeguard Activity Reports were not effective because they did not adequately test security controls. In addition, IRS Safeguard Reviews were not effective because adequate staffing had not been assigned to conduct a sufficient number of reviews, the scope of reviews was insufficient, and the IRS did not have an adequate process to track corrective actions on weaknesses identified.

¹ Computer Security Weaknesses at State Agencies Put Federal Tax Information at Risk (Reference Number 2003-20-064, dated February 2003).
² Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected (Reference Number 2005-20-184, dated September 2005).

During the review, the Mission Assurance and Security Services organization was realigned. The responsibility for the Safeguard Review program was transferred to the Small Business/Self-Employed Division in July 2007.

To follow up on the IRS' actions to correct these conditions, we conducted this review at the Office of the Chief, Mission Assurance and Security Services, in Washington, D.C., during the period December 2006 through May 2007. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.


Results of Review

Actions Have Been Taken to Improve the Scope of State Safeguard Activity Reports

In 2005, we reported significant control weaknesses at the States we reviewed and determined the States were not conducting adequate self-assessments of their security controls. We recommended the IRS revise Tax Information Security Guidelines for Federal, State and Local Agencies and Entities (Publication 1075) to incorporate the security controls described in the National Institute of Standards and Technology (NIST)³ Recommended Security Controls for Federal Information Systems (Special Publication 800-53). This NIST document must be followed by Federal Government agencies, and the NIST encourages its use by other organizations.

In response to our report, the IRS agreed to revise Publication 1075 and issued the revision in February 2007. We compared Publication 1075 to NIST Special Publication 800-53 and determined it did address the necessary security controls. We anticipate the revised Publication 1075 will provide guidance for the State agencies to perform more complete security assessments of their computer systems.

Adequate Actions Have Not Been Taken to Improve Internal Revenue Service Safeguard Reviews

In 2005, we reported that the IRS Safeguard Reviews were inadequate and incomplete. We recommended, and the IRS agreed, to take the following actions to improve its Safeguard Reviews of the States:

    • Assign more staffing to the Mission Assurance and Security Services organization's Safeguard Review program to provide adequate oversight to the States.
    • Improve the scope of IRS Safeguard Reviews by incorporating appropriate NIST Special Publication 800-53 security controls into the computer security Safeguard Review process.
    • Use Plans of Action and Milestones to better monitor recommended corrective actions for weaknesses identified.

³ The NIST is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

In response to our recommendation to assign additional staffing, the Office of Privacy and Information Protection awarded a 5-year contract in May 2006 to Booz Allen Hamilton to supplement the Safeguards Review staff and help meet its requirements to conduct the appropriate number of Safeguard Reviews each year. During Fiscal Years 2005 and 2006, the IRS, with assistance from the contractor, conducted 152 Safeguard Reviews of State agencies receiving Federal tax information. The additional resources provided by the contractor have had a positive impact on the number of Safeguard Reviews conducted of State agencies.

The IRS has not taken sufficient actions in response to our recommendation to improve the scope of the Safeguard Reviews. Language included in the contract with Booz Allen Hamilton required the contractor to update Safeguard Review test plans and customize them as needed, depending on the operating systems used by the States. However, the contract does not define how the test plans are to be updated, specifically that they should incorporate the NIST Special Publication 800-53 security controls.

Additionally, the number of test plans to be updated or customized is not defined in the contract. While the contractor has revised test plans for six operating systems to include many of the control areas described in NIST Special Publication 800-53, these test plans are still in draft form and are currently not being used. When asked, IRS management stated they did not know when the contractor was scheduled to complete the revision of these 6 and the remaining 16 test plans or when they would be available for use.

The Safeguard Reviews conducted in Fiscal Years 2006 and 2007 followed the test plans used prior to our 2005 audit. These plans did not adequately address tests for some of the controls included in NIST Special Publication 800-53, such as incident response, risk assessments, and contingency planning. Until these documents are updated and followed by contractors conducting the tests, the IRS will not be assured that States are adequately protecting Federal tax information. The corrective actions associated with our recommendation are due to be completed in October 2008.

In response to our recommendation to use Plans of Action and Milestones, the IRS agreed to implement this process by August 2006. In May 2006, the IRS formally closed the recommendation by stating it had implemented the process. During this review, we determined the IRS has not implemented the use of Plans of Action and Milestones and still does not have a process to monitor security weaknesses identified during Safeguard Reviews. Management in the Office of Privacy and Information Protection stated that an automated Plan of Action and Milestones tool is under development by the contractor, but a delivery date was unknown. When asked, the IRS could provide no explanation as to why it had stated its actions to implement the Plans of Action and Milestones process were completed in May 2006.

Without a formalized process, the States are not held accountable for addressing weaknesses found during their tests and the tests conducted by the Mission Assurance and Security Services organization. As a result, the IRS cannot be certain that deficiencies found during Safeguard Reviews are timely and efficiently corrected.

Also, the IRS was not timely reporting the results of its Safeguard Reviews to the States. IRS procedures state Safeguard Review reports should be provided to State agencies within 30 calendar days of the review but not later than 45 calendar days after the closing conference. For 2006 and 2007, we reviewed all 18 Safeguard Review reports issued to State tax agencies and determined these reports were issued an average of 81 calendar days after completion of onsite reviews. With these delays, security weaknesses identified in Safeguard Reviews may go unaddressed for months, increasing the risk that Federal tax information may be inappropriately accessed or used.

Security weaknesses at the States could provide opportunities for hackers, disgruntled employees, and contractors to access Federal tax information for unauthorized use and identity theft purposes. Without an adequate Safeguard Review program, the IRS has little assurance that States are maintaining adequate controls over Federal tax information.

We attribute the inability to improve the IRS Safeguard Review program to a lack of management attention and oversight. While sufficient funding has been provided to increase the number of reviews conducted, little emphasis has been placed on enhancing the scope of the reviews, ensuring actions to correct security vulnerabilities are monitored, and ensuring review results are reported timely. Also, IRS employees and contractors were being provided little direction, their work was not being adequately monitored, and desk procedures were not available.

Recommendations

To address these weaknesses, the Chief, Mission Assurance and Security Services, should provide management oversight for the Safeguard Review program sufficient to ensure:

Recommendation 1: The test plans used during Safeguard Reviews are revised and consistent with the guidance found in IRS Publication 1075.

    Management's Response: Management agreed with the recommendation. At this time, the contractor has revised most of the Safeguard Computer Security Evaluation Matrices, making them consistent with the requirements of NIST Special Publication 800-53. Communications are pending to all agencies advising them that they will be held to the new standards effective October 1, 2007. The Director, Communications, Liaison and Disclosure, Small Business/Self-Employed Division, will initiate additional changes to the guidance provided in the recently revised Publication 1075 (dated February 2007) to stagger reporting deadlines for Safeguard Activity Reports, as well as incorporate additional guidance for executing test plans used in Safeguard Reviews.

Recommendation 2: The corrective action corresponding to the followup and monitoring of corrective actions is reopened, and a Plan of Action and Milestones process is developed and implemented.

    Management's Response: Management agreed with the recommendation. The corrective action corresponding to the followup and monitoring of corrective actions will be reopened and a Plan of Action and Milestones process will be developed. The majority of development work on the newly designed automated Plan of Action and Milestones monitoring tool has been completed by the contractor.

Recommendation 3: The Safeguard Review results are provided timely to the States.

    Management's Response: Management agreed with the recommendation. Safeguard Review results will be provided to the States within 30 calendar days of the review, but not later than 45 calendar days after the closing conference, in accordance with IRS procedures. Management will develop a monthly monitoring plan to track reports and ensure followup actions have been taken on a timely basis.

The Office of Privacy and Information Protection Is Not Adequately Monitoring Contracting Actions

During the course of our review, we became very concerned at the lack of management attention being directed to the Safeguard Review program. As a result, we expanded our review to assess the administration of the contract with Booz Allen Hamilton. IRS procedures state the purpose of contract administration is to ensure the Federal Government receives the services for which it contracted, on time, and in accordance with specifications.

The IRS has budgeted $1.4 million annually for contractor support of the Safeguard Review program. However, the Office of Privacy and Information Protection is not providing sufficient oversight for the use of these funds and the contractor's actions. Specifically:

    • In January 2007, task orders⁴ for Safeguard Review site visits performed as far back as June 2006 were signed after the fact by the Mission Assurance and Security Services organization and approved by the Contracting Officer's Technical Representative. We were advised that the contractor, not the IRS, requested the task orders.
    • The task orders described above listed "TBD" (To Be Determined) for the number of estimated hours needed to establish and manage a Program Office to administer the contract and to perform Safeguard Reviews.
    • Three of the eight contractor payment vouchers were not authorized in writing by Mission Assurance and Security Services organization management.
    • The IRS does not have a process in place to collect data needed to perform a validation of the hours billed by the contractor. Without an effective process to collect such data, the IRS is forced to rely on data the contractor provides. The IRS has received monthly reports from the contractor detailing the number of hours charged to each task order. However, these reports do not specify how many hours were charged to specific tasks, such as a site visit or revision of test plans.
    • Contract language is vague regarding deliverables expected by the IRS. The only deliverable described in the contract is the Safeguard Review reports. Consequently, there is no expectation regarding the development and maintenance of workpapers supporting the work performed during a Safeguard Review. Our examination of the workpaper files for reviews conducted in 2006 and 2007 determined the files were incomplete and disorganized. Files for 9 of the 28 reviews we attempted to find were missing, and files for 10 other reviews were missing significant documentation such as review plans, minutes from opening and closing conferences for site reviews, and the most recent Safeguard Activity Reports from the State agency. As a result, the IRS acknowledged it had no way to gauge the adequacy of work performed by the contractor.

⁴ A task order is an order for services placed against an established contract.

Essentially, the IRS is allowing the contractor to dictate the terms of the contract and to determine the amount of funds spent. When asked how oversight is provided to the contractor, IRS management responded that the contractor is trusted and its employees are professionals.

Without adequate oversight for contracting actions, the IRS cannot ensure it is prudently spending the $1.4 million designated for the Safeguard Review program. Due to the poor contract oversight provided by the IRS, we requested additional documentation from the contractor and are continuing to review that documentation. We will report our assessment of the contractor documentation in a future Office of Audit document.

Recommendations

To address these weaknesses, the Chief, Mission Assurance and Security Services, should provide executive and management oversight for the Safeguard Review program sufficient to ensure:

Recommendation 4: Task orders clearly define the staff hours needed per task and the contractor deliverables for the remaining years of the Safeguard Review program contract.

    Management's Response: Management agreed with the recommendation. The Small Business/Self-Employed Division has assigned a task representative to work with the Contracting Officer's Technical Representative and manage all aspects of contract support. This task representative will ensure work requests are written for each task area and clearly define 1) the description of the work to be performed in accordance with the statement of work; 2) skill categories and estimated hours per category; 3) required products, due dates, and specific acceptance criteria; 4) performance site; and 5) any additional Federal Government-furnished equipment the contractor may need to complete the task. Work requests will be signed by the task representative, the Contracting Officer's Technical Representative, and the contractor manager prior to starting work and upon completion of the task. Six key work requests have been identified and will be focused on through December 31, 2007. In addition, a project manager has been added to the Safeguards Review staff to provide guidance, oversight, and monitoring of the program contract.

Recommendation 5: Contractor billings are monitored, and contract hours allocated by task are validated to ensure funds are prudently spent.

    Management's Response: Management agreed with the recommendation. The Small Business/Self-Employed Division will ensure contractors report hours charged to the contract by task area. Management will ensure a work request is in place for each task area. The assigned dedicated task representative will oversee the contractor's work and perform monthly contract reviews to ensure the accuracy of the invoices and that work authorized is completed in accordance with the work requests. During the contract review, the task representative will review the following contractor-prepared reports prior to their review and approval by the Contracting Officer's Technical Representative: 1) Monthly Status Reports that document work performed and labor hours spent by task area, 2) work requests, and 3) invoices. Issues, if any, will be elevated to the Contracting Officer's Technical Representative to be addressed with the contractor.


Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this audit was to determine whether Federal tax information provided to third parties (in this case, State agencies) is protected from unauthorized access, use, and disclosure. To accomplish this objective, we conducted followup tests to evaluate the effectiveness of the IRS' actions to correct computer security weaknesses at State agencies we had reported in September 2005.¹ Specifically, we:

I.  Assessed the adequacy of the IRS Safeguard Review process.
    A. Reviewed documentation to determine the adequacy of the scope of IRS Safeguard Reviews conducted in Fiscal Years 2006 and 2007 at State tax agencies.
        1. Determined whether Tax Information Security Guidelines for Federal, State and Local Agencies and Entities (IRS Publication 1075) had been revised to incorporate the recommended security controls described in NIST² Recommended Security Controls for Federal Information Systems (Special Publication 800-53).
        2. Reviewed all Safeguard Review Reports issued to State tax agencies during Fiscal Years 2006 and 2007 to determine adequacy of the scope of review.
        3. Reviewed all available Safeguard Review files for reviews conducted at State tax agencies in Fiscal Years 2006 and 2007 to determine adequacy of supporting documentation.
        4. Reviewed the test plans developed by contractor Booz Allen Hamilton and used in the Safeguard Reviews to determine whether the plans include the required security controls for a moderate risk control baseline listed in NIST Special Publication 800-53.
        5. Determined whether adequate oversight was provided to the Booz Allen Hamilton contract employees while they developed the revised test plans.
        6.
Determined whether the States submitted self-assessments to the IRS and whether\n                these assessments were used in determining/customizing the scope of the\n                Safeguard Reviews.\n\n\n1\n  Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected (Reference\nNumber 2005-20-184, dated September 2005).\n2\n  The NIST is responsible for developing standards and guidelines for providing adequate information security for\nall Federal Government agency operations and assets.\n                                                                                                           Page 9\n\x0c                         Insufficient Attention Has Been Given to Ensure States\n                                       Protect Taxpayer Information\n\n\n\n        B. Reviewed documentation to determine whether the IRS is providing timely results of\n           the Safeguard Reviews to the State agencies.\n        C. Reviewed documentation to determine whether the process developed in May 2006\n           for implementing a Plan of Action and Milestones3 to manage recommended\n           corrective actions has been implemented.\nII.     Reviewed contract and process documentation to determine whether the Safeguard\n        Review process has sufficient resources to complete the required number of Reviews.\n        A. Reviewed contract documentation, including task orders,4 for Safeguard Reviews\n           performed by Booz Allen Hamilton employees to determine whether:\n             1. An adequate number of staff resources with appropriate technical expertise were\n                detailed in contract language.\n             2. The actual funding for both the IRS and the contractor staffs have been increased\n                appropriately.\n        B. Determined whether the schedule in place to accomplish these Reviews was\n           consistent with the staffing resources available.\n        C. 
Determined whether the Reviews of State agencies are performed at least once every\n           3 years, as required by Internal Revenue Code Section 6103.\nIII.    Determined whether IRS management oversight for the Booz Allen Hamilton contract\n        was adequate.\n        A. For the Fiscal Year 2007 Safeguard Reviews, determined the staff hours by skill/labor\n           category (such as Senior Information Technology Specialist, Junior Information\n           Technology Specialist) planned for Booz Allen Hamilton staff support.\n        B. Determined the procedures in place for the IRS Office of Privacy and Information\n           Protection to evaluate the accuracy of the staff hours billed monthly by Booz Allen\n           Hamilton.\n        C. Obtained the monthly billing vouchers submitted by Booz Allen Hamilton and\n           reviewed to ensure appropriate approvals were obtained.\n        D. For the Fiscal Year 2007 schedule, determined whether Booz Allen Hamilton\n           monthly billing vouchers reconciled with the number of Booz Allen Hamilton\n           staff hours provided during fieldwork.\n\n\n3\n  The NIST defines a Plan of Action and Milestones as a plan developed to prioritize identified weaknesses and\nassign dates for remediation.\n4\n  A task order is an order for services placed against an established contract.\n                                                                                                          Page 10\n\x0c                    Insufficient Attention Has Been Given to Ensure States\n                                  Protect Taxpayer Information\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nStephen R. Mullins, Director\nMarybeth H. Schumann, Audit Manager\nMyron L. Gulley, Lead Auditor\nRichard T. 
Borst, Senior Auditor\nAbraham B. Millado, Senior Auditor\nThomas P. Nacinovich, Senior Auditor\nJoan M. Raniolo, Senior Auditor\nWilliam Simmons, Senior Auditor\nEsther M. Wilson, Senior Auditor\n\n\n\n\n                                                                                     Page 11\n\x0c                   Insufficient Attention Has Been Given to Ensure States\n                                 Protect Taxpayer Information\n\n\n\n                                                                 Appendix III\n\n                         Report Distribution List\n\nActing Commissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Acting Chief of Staff C\nDeputy Commissioner for Operations Support OS\nCommissioner, Small Business/Self-Employed Division SE:S\nChief Information Officer OS:CIO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Commissioner, Small Business/Self-Employed SE:S\n       Chief Information Officer OS:CIO\n\n\n\n\n                                                                        Page 12\n\x0c      Insufficient Attention Has Been Given to Ensure States\n                    Protect Taxpayer Information\n\n\n\n                                                    Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 13\n\x0cInsufficient Attention Has Been Given to Ensure States\n              Protect Taxpayer Information\n\n\n\n\n                                                     Page 14\n\x0cInsufficient Attention Has Been Given to Ensure States\n              Protect Taxpayer Information\n\n\n\n\n                                                     Page 15\n\x0cInsufficient Attention Has Been Given to Ensure States\n              Protect Taxpayer Information\n\n\n\n\n 
                                                    Page 16\n\x0cInsufficient Attention Has Been Given to Ensure States\n              Protect Taxpayer Information\n\n\n\n\n                                                     Page 17\n\x0cInsufficient Attention Has Been Given to Ensure States\n              Protect Taxpayer Information\n\n\n\n\n                                                     Page 18\n\x0c'